Proxy-dns as service on macOS


#1

Hey

I’ve successfully got cloudflared running the proxy DNS service interactively on macOS. Although it would be good for it to have its own embedded entries for cloudflare-dns.com (rather than rely on the /etc/hosts entries I had to add). Even better if the DoH service could run on https://1.1.1.1 :wink:

I have not been able to get it to run as a service, however. cloudflared service install will run with any arguments. Even if I tweak the generated plist and supply proxy-dns argument the daemon still does not work. Presumably, it is more geared towards Argo at this point?

Obviously doing something wrong, so could use some official instructions on https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/.

Thanks :slight_smile:
G


#2

@graeme, can you share what you added to /etc/hosts?

What happens if you run w/ the following:
sudo cloudflared proxy-dns --port 5354


#3

Hi @joaquin, I am not sure I explained well enough to start with. I can run DoH using sudo cloudflared proxy-dns just fine interactively. However, if I want this to start on boot, it would need to be created as a service, i.e., cloudflared service install. Is this supported? If so, how can I configure it, please?

If I modify my /etc/resolv.conf such that the nameserver is 127.0.0.1, I figured sudo cloudflared proxy-dns had no way to lookup cloudflare-dns.com. I therefore added:

104.16.111.25 cloudflare-dns.com
104.16.112.25 cloudflare-dns.com

#4

We added a page on developers.cloudflare.com that describes how to get things running with either cloudflared or dnscrypt-proxy.


#5

See if this helps?


#6

and this is the portion I think will resolve it for you as well…

sudo cloudflared service install
INFO[0000] Applied configuration from /usr/local/etc/cloudflared/config.yaml
INFO[0000] Installing Argo Tunnel as an user launch agent
INFO[0000] Outputs are logged in /tmp/com.cloudflare.cloudflared.out.log and /tmp/com.cloudflare.cloudflared.err.log


#7

Thank you @joaquin and @cscharff, the updated cloudflared and instructions have worked perfectly. My Mac is now using DoH :clap:t2:


#8

Yeah, they worked for me as well!


#9

What about after you reboot? My experience is that it does not relaunch on reboot, even with the latest version. See my thread above, which cscharff linked to.

Reboot, then "[email protected] cloudflare.com" from terminal. Do you get A records, or does it just hang?


#10

I have just tried and found the same behaviour. The logs say:

time="2018-04-06T14:54:19+01:00" level=info msg="Starting DNS over HTTPS proxy server" addr="dns://localhost:53"
time="2018-04-06T14:54:19+01:00" level=fatal msg="Cannot start the DNS over HTTPS proxy server" error="failed to create a UDP listener: listen udp 127.0.0.1:53: bind: permission denied"

As documented, I installed using sudo cloudflared service install.


#11

@ddiller can you try uninstalling the current service, and upgrading cloudflared to at least 2018.4.3?

The issue with the old version is that launch agents installed in the user’s home do not run as root (despite the ownership). The new version installs the launchd service file in /Library, which fixes the permission issue.

@graeme The cloudflared 2018.4.4 has https://1.1.1.1/dns-query and https://1.0.0.1/dns-query as default upstream endpoints, so you don’t have to use /etc/hosts anymore.


#12

Hi @mvavrusa, thanks for the heads up about 2018.4.4. I have upgraded.

Any thoughts on:

time="2018-04-07T09:51:05+01:00" level=fatal msg="Cannot start the DNS over HTTPS proxy server" error="failed to create a UDP listener: listen udp 127.0.0.1:53: bind: permission denied"

Service was installed using sudo and com.cloudflare.cloudflared.plist is in /Library/LaunchAgents. Am running macOS 10.13.4.


#13

Try a

$ sudo mv /Library/LaunchAgents/com.cloudflare.cloudflared.plist /Library/LaunchDaemons/

and reboot.

Does it work for you now? (Mine does!)
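An added diagnostic, not cloudflared’s own code, that applies the reasoning in #11 and #13: it parses a launchd job plist with Python’s plistlib and reports whether a proxy-dns job installed at that path can bind its port. The plist below is constructed to mirror what the thread describes (a job running cloudflared proxy-dns on port 53), not the file cloudflared generates, and the --port parsing assumes the usual "--port N" and "--port=N" spellings.

```python
import plistlib

# Constructed sample launchd job (not cloudflared's real generated file):
# runs `cloudflared proxy-dns` on the default port 53, as in the thread's logs.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.cloudflare.cloudflared</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/cloudflared</string>
    <string>proxy-dns</string>
    <string>--port</string><string>53</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

DEFAULT_PORT = 53  # proxy-dns default, per the log line addr="dns://localhost:53"


def listen_port(program_args):
    """Port proxy-dns will bind: from --port <n> or --port=<n>, else the default."""
    for i, arg in enumerate(program_args):
        if arg == "--port" and i + 1 < len(program_args):
            return int(program_args[i + 1])
        if arg.startswith("--port="):
            return int(arg.split("=", 1)[1])
    return DEFAULT_PORT


def diagnose(plist_path, plist_bytes):
    """Explain whether the proxy-dns job at plist_path can bind its port.

    Jobs in /Library/LaunchDaemons run as root at boot. Jobs in
    /Library/LaunchAgents or ~/Library/LaunchAgents run as the logged-in
    user, who cannot bind a privileged port (below 1024) such as 53, which is
    exactly the "bind: permission denied" seen in #10 and #12.
    """
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments", [])
    if "proxy-dns" not in args:
        return "not a proxy-dns job"
    port = listen_port(args)
    runs_as_root = plist_path.startswith("/Library/LaunchDaemons/")
    if port < 1024 and not runs_as_root:
        return (f"port {port} is privileged but {plist_path} runs as the login "
                "user; expect 'bind: permission denied' - move the plist to "
                "/Library/LaunchDaemons/")
    return f"ok: port {port}, job runs as {'root' if runs_as_root else 'login user'}"
```

Running diagnose() on the same plist at the LaunchAgents path and at the LaunchDaemons path shows why the mv in #13 resolves the error without any change to the job itself.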


#14

Thanks for investigating this @ddiller! I’ll make the /Library/LaunchDaemons default in the next version.


#15

That works a treat @ddiller, thanks.